ISO ____ is the ISO standard for the performance of risk management, and includes a five-stage risk management methodology.

Residual risk is a combined function of all but which of the following? A) A threat less the effect of threat-reducing safeguards
D. Residual risk less a factor of error

____ feasibility determines acceptable practices based on consensus and relationships among the communities of interest.

Asset valuation must account for value _____.
D. from providing the information, acquired from the cost of protecting the asset, and of intellectual property

Once a control strategy has been selected and implemented, controls should be ____ on an ongoing basis to determine their effectiveness and to estimate the remaining risk.

Communicating new or revised policy to employees is adequate to assure compliance.

The goal of information security is to bring residual risk in line with an organization’s risk appetite.

____ feasibility is also referred to as behavioral feasibility.

When a vulnerability (flaw or weakness) exists, you should implement security policies to reduce the likelihood of a vulnerability being exercised.

At a minimum, each information asset–threat pair should have a(n) ____ that clearly identifies any residual risk that remains after the proposed strategy has been executed.
B. documented control strategy

The risk control strategy of avoidance means understanding the consequences and avoiding risk by not placing a system in a situation that could result in a loss.

The goal of information security is to bring residual risk to zero.

The ____ is the indication of how often you expect a specific type of attack to occur.

Which of the following plans would not be considered a mitigation control approach?

In Risk Management is asset valuation, as it is relatively easy to determine accurately the true value of information and information-bearing assets.

____ is the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.

Cost Benefit Analysis is determined by calculating the single loss expectancy before new controls minus the annualized loss expectancy after controls are implemented minus the annualized cost of the safeguard.

The Annualized Loss Expectancy in the CBA formula is determined as ____.

Which of the following is NOT an alternative to cost-benefit analyses?
D. ISO 17799 based controls

The only use of the acceptance strategy that industry practices recognize as valid occurs when the organization has done all but which of the following?
Determined that the particular function, service, information, or asset did justify the cost of additional protection

Before deciding on the risk control strategy for a specific vulnerability, an organization must explore all readily accessible information about the ____ consequences of the vulnerability.
C. economic and non-economic

Asset evaluation is the process of assigning financial worth to each information asset.

Application of training and education is a technique of the ____ control strategy.

An organization that chooses to outsource its risk management practice to independent consultants is taking the ____ control approach. A) avoidance B) mitigation C) transference D) acceptance

____ is usually determined by valuing the information asset or assets exposed by the vulnerability and then determining how much of that value is at risk, and how much risk exists for the asset. A) Risk B) Asset value C) Cost D) Benefit

A system’s exploitable vulnerabilities are usually determined after the system is designed.

Step-by-step rules to regain normalcy are covered by which of the following plans in the mitigation control approach? A) Incident response plan B) Business continuity plan C) Disaster recovery plan D) Damage control plan
C. Disaster recovery plan

Economic feasibility is a standard that is commonly used when evaluating a project that implements information security safeguards.

Risk appetite (also known as risk tolerance) is the quantity and nature of risk that organizations are willing to accept as they evaluate the trade-offs between perfect security and unlimited accessibility.

Some organizations document the outcome of the control strategy for each information asset–threat pair in a(n) _____, which includes concrete tasks with accountability for each task being assigned to an organizational unit or to an individual. A) risk management plan B) control strategy C) cost-benefit analysis D) action plan

The original OCTAVE method, which forms the basis for the OCTAVE body of knowledge, was designed for large organizations with 300 or more users, while OCTAVE-Allegro was designed for smaller organizations of about 100 users.
True - per test bank; False - per book

Which of the following is NOT among the items that affect the cost of a control? A) Training fees B) Service costs C) Asset resell costs D) Maintenance costs

Unlike other risk management frameworks, FAIR relies on the qualitative assessment of many risk components using scales with value ranges, for example very high to very low.

A single loss expectancy is calculated by multiplying the asset value by the ____. A) annualized cost of the safeguard B) exposure factor C) annualized rate of occurrence D) asset value

Economic and non-economic effects of a weakness must be evaluated after a strategy for dealing with a particular vulnerability has been selected.

____ feasibility examines whether the organization has access to the technology necessary to manage control alternatives. A) Political B) Operational C) Technical D) Organizational

A cost-benefit analysis is conducted by subtracting the post-control annualized loss expectancy and the ____ from the pre-control loss expectancy. A) annualized cost of the safeguard B) exposure factor C) annualized rate of occurrence D) asset value
A. annualized cost of the safeguard

The ____ is the calculation of the value associated with the most likely loss from an attack. A) SLE B) ALE C) CBA D) ARO

____ is the process of assigning financial value or worth to each information component. A) Asset valuation B) Cost-benefit analysis C) Auditing D) Accountability

Avoidance of risk is the choice to forgo the use of security measures and accept loss in the event of an attack.

What is the product of asset value and the exposure factor? SLE = asset value x exposure factor.
How do you calculate the exposure factor? It is calculated as follows: SLE = AV x EF, where EF is the exposure factor. The exposure factor describes the loss that will happen to the asset as a result of the threat (expressed as a percentage value). SLE is $30,000 in our example, when EF is estimated to be 0.3.

What is the exposure factor (CISSP)? The exposure factor is the measure or percent of damage that a realized threat would have on a specific asset. Conduct a threat analysis (ARO): the purpose of a threat analysis is to determine the likelihood of an unwanted event. The goal is to estimate the annual rate of occurrence (ARO).

How much is the exposure factor in single loss expectancy? As an example, if the asset value is reduced by two thirds, the exposure factor value is 0.66. If the asset is completely lost, the exposure factor is 1.